1
0
Fork 0
mirror of https://github.com/Luzifer/vault-openvpn.git synced 2024-12-24 22:01:20 +00:00

Add dhparam generation support

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2018-10-08 13:17:50 +02:00
parent c7d655ffed
commit 2f084643bf
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E
2 changed files with 46 additions and 1 deletions

View file

@ -56,6 +56,16 @@ You need to create a folder containing two files: `client.conf` and `server.conf
</key>
```
For the server configuration an additional block is available in case you don't want to generate your DH parameters with an external command:
```
<dh>
{{ dhparam <bitsize> [generator] }}
</dh>
```
In this function call you must specify `<bitsize>` (for example `2048`) and may specify the `[generator]`. If the generator is not specified the default generator is set to `2`. Please ensure you are not using this block in your `client.conf` as OpenVPN will not accept it there.
The configurations generated by this tool will not need multiple files but include the certificates inside the configuration. This makes it far more easy to pass them to your users. No unzip, no questions where to put the files, mostly the OpenVPN clients will know how to handle something called `my-vpn.conf`.
After you've set up your folder (you also could use one of the example configurations in the [`example` folder](https://github.com/Luzifer/vault-openvpn/tree/master/example) of this repository) you can issue your servers configuration:

View file

@ -9,10 +9,12 @@ import (
"io/ioutil"
"os"
"path"
"strconv"
"strings"
"text/template"
"time"
dhparam "github.com/Luzifer/go-dhparams"
"github.com/hashicorp/vault/api"
log "github.com/sirupsen/logrus"
"github.com/spf13/viper"
@ -215,7 +217,9 @@ func renderTemplate(tplName string, tplv *templateVars) error {
return err
}
tpl, err := template.New("tpl").Parse(string(raw))
tpl, err := template.New("tpl").Funcs(template.FuncMap{
"dhparam": generateDHParam,
}).Parse(string(raw))
if err != nil {
return err
}
@ -233,3 +237,34 @@ func validateSerial(serial string) bool {
// Also very basic check, also here Vault does the real validation
return len(strings.Split(serial, ":")) > 1
}
func generateDHParam(name string, v ...string) (interface{}, error) {
bits, err := strconv.Atoi(name)
if err != nil {
return nil, fmt.Errorf("Unable to parse bit size: %s", err)
}
var generator int = 2
if len(v) > 0 {
if generator, err = strconv.Atoi(v[0]); err != nil {
return nil, fmt.Errorf("Unable to parse generator: %s", err)
}
if generator != 2 && generator != 5 {
return nil, errors.New("Only generators 2 and 5 are supported")
}
}
dh, err := dhparam.Generate(bits, dhparam.Generator(generator), nil)
if err != nil {
return nil, fmt.Errorf("Unable to generate DH parameters: %s", err)
}
p, err := dh.ToPEM()
if err != nil {
return nil, fmt.Errorf("Unable to encode DH parameters: %s", err)
}
return string(p), nil
}